* Trying to setup two ethernet cards with two websites
@ 2002-12-31 16:29 JUSTIN GERRY
2002-12-31 18:49 ` Roy Sigurd Karlsbakk
0 siblings, 1 reply; 10+ messages in thread
From: JUSTIN GERRY @ 2002-12-31 16:29 UTC (permalink / raw)
To: netfilter
I am attempting to set up two websites with two IP addresses, each one on a
different ethernet card/interface.
It only seems to work for the first rule (first listed IP address) that
gets matched up, so I can get one website to work but not the other. How
do I write this so it covers both addresses and allows httpd to go to
either interface or either address? Can I write a single rule to match a
range of IP addresses (.93 and .94) instead of writing one for each
individual address?
This is what I have so far for testing:
IF1="eth0"
IF2="eth1"
IP2="172.30.12.93"
IP1="172.30.12.94"
UNPRIVPORTS="1024:65535"
# flush, then default-deny all three chains
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# packets belonging to connections already accepted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new HTTP connections, one rule per interface/address pair
iptables -A INPUT -i $IF1 -p tcp --sport $UNPRIVPORTS -d $IP1 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IF2 -p tcp --sport $UNPRIVPORTS -d $IP2 --dport 80 -m state --state NEW -j ACCEPT
# the same HTTP matches again, without the state check
iptables -A INPUT -i $IF1 -p tcp --sport $UNPRIVPORTS -d $IP1 --dport 80 -j ACCEPT
iptables -A INPUT -i $IF2 -p tcp --sport $UNPRIVPORTS -d $IP2 --dport 80 -j ACCEPT
# outgoing HTTP replies (non-SYN) from each address
iptables -A OUTPUT -o $IF2 -p tcp ! --syn -s $IP2 --sport 80 --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $IF1 -p tcp ! --syn -s $IP1 --sport 80 --dport $UNPRIVPORTS -j ACCEPT
Thanks,
Justin
* Re: Trying to setup two ethernet cards with two websites
2002-12-31 16:29 Trying to setup two ethernet cards with two websites JUSTIN GERRY
@ 2002-12-31 18:49 ` Roy Sigurd Karlsbakk
0 siblings, 0 replies; 10+ messages in thread
From: Roy Sigurd Karlsbakk @ 2002-12-31 18:49 UTC (permalink / raw)
To: JUSTIN GERRY; +Cc: netfilter
On Tuesday, December 31, 2002, at 05:29 PM, JUSTIN GERRY wrote:
> I am attempting to set up two websites with two IP addresses, each one on
> a different ethernet card/interface.
>
> It only seems to work for the first rule (first listed IP address) that
> gets matched up, so I can get one website to work but not the other.
> How do I write this so it covers both addresses and allows httpd to go to
> either interface or either address? Can I write a single rule to match
> a range of IP addresses (.93 and .94) instead of writing one for each
> individual address?
>
> This is what I have so far for testing.....
>
> IF1="eth0"
> IF2="eth1"
> IP2="172.30.12.93"
> IP1="172.30.12.94"
> UNPRIVPORTS="1024:65535"
>
> iptables -F
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The two below...
> iptables -A INPUT -i $IF1 -p tcp --sport $UNPRIVPORTS -d $IP1 --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i $IF2 -p tcp --sport $UNPRIVPORTS -d $IP2 --dport 80 -m state --state NEW -j ACCEPT
...are included in these two, so you won't need both. You probably
don't want those below, as they accept anything regardless of state.
> iptables -A INPUT -i $IF1 -p tcp --sport $UNPRIVPORTS -d $IP1 --dport 80 -j ACCEPT
> iptables -A INPUT -i $IF2 -p tcp --sport $UNPRIVPORTS -d $IP2 --dport 80 -j ACCEPT
Are these really necessary? With -P DROP, this'll deny any outgoing
connections at all, regardless of protocol. It'll even drop ICMP
packets, something you probably don't want.
> iptables -A OUTPUT -o $IF2 -p tcp ! --syn -s $IP2 --sport 80 --dport $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $IF1 -p tcp ! --syn -s $IP1 --sport 80 --dport $UNPRIVPORTS -j ACCEPT
To allow for multiple hosts in a rule, you can specify a mask (or
number of bits). For instance:
# iptables -s 10.0.0.0/31
will match 10.0.0.0 and 10.0.0.1. .93 and .94, however, overlap this
and need to be allowed for specifically.
So, try first with -P OUTPUT -j ACCEPT, and no rules in the OUTPUT
chain. It shouldn't be any problem then.
roy
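Roy's /31 example and Justin's .93/.94 pair, worked through as an added example (not code from the thread): the functions below find the smallest CIDR block that contains two addresses and how many unwanted hosts it drags in, which is why the two web addresses need separate rules rather than one mask.

```shell
#!/bin/sh
# Added example: the smallest CIDR block covering two hosts, and how many
# other hosts it lets in. Pure POSIX sh; the addresses are the thread's own.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print network/len of the smallest block that contains both addresses:
# shorten the prefix one bit at a time until the two hosts share it.
covering_block() {
    a=$(ip2int "$1"); b=$(ip2int "$2"); len=32
    while [ "$(( a >> (32 - len) ))" -ne "$(( b >> (32 - len) ))" ]; do
        len=$(( len - 1 ))
    done
    echo "$(int2ip $(( (a >> (32 - len)) << (32 - len) )))/$len"
}

# How many addresses a block holds beyond the two you actually wanted.
extra_hosts() {
    echo $(( (1 << (32 - ${1#*/})) - 2 ))
}

# Roy's example: two adjacent even/odd hosts fit a /31 exactly.
covering_block 10.0.0.0 10.0.0.1            # 10.0.0.0/31
# Justin's .93/.94: the best mask is a /30, which also admits .92 and .95,
# so a single -d mask would over-match and separate rules are needed.
covering_block 172.30.12.93 172.30.12.94    # 172.30.12.92/30
extra_hosts 172.30.12.92/30                 # 2
```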
* Re: Trying to setup two ethernet cards with two websites
@ 2003-01-02 14:49 JUSTIN GERRY
2003-01-02 15:21 ` Joel Newkirk
0 siblings, 1 reply; 10+ messages in thread
From: JUSTIN GERRY @ 2003-01-02 14:49 UTC (permalink / raw)
To: roy; +Cc: netfilter
I tried your suggestions below and yes, I finally have two websites
working on the same box. Simplifying things does indeed work.
Is there a way to, by default, drop everything on the output chain, but
insert a rule to allow only http requests that were initiated by a
client to either website?
Or if my input rules are sufficient, do I really need to do anything on
the output chain other than let everything out?
Thanks,
Justin
>>> Roy Sigurd Karlsbakk <roy@karlsbakk.net> 12/31 1:49 PM >>>
On Tuesday, December 31, 2002, at 05:29 PM, JUSTIN GERRY wrote:
> I am attempting to set up two websites with two IP addresses, each one
> on a different ethernet card/interface.
>
> It only seems to work for the first rule (first listed IP address)
> that gets matched up, so I can get one website to work but not the other.
> How do I write this so it covers both addresses and allows httpd to go to
> either interface or either address? Can I write a single rule to
> match a range of IP addresses (.93 and .94) instead of writing one for each
> individual address?
>
> This is what I have so far for testing:
>
> IF1="eth0"
> IF2="eth1"
> IP2="172.30.12.93"
> IP1="172.30.12.94"
> UNPRIVPORTS="1024:65535"
>
> iptables -F
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The two below...
> iptables -A INPUT -i $IF1 -p tcp --sport $UNPRIVPORTS -d $IP1 --dport 80 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i $IF2 -p tcp --sport $UNPRIVPORTS -d $IP2 --dport 80 -m state --state NEW -j ACCEPT
...are included in these two, so you won't need both. You probably
don't want those below, as they accept anything regardless of state.
> iptables -A INPUT -i $IF1 -p tcp --sport $UNPRIVPORTS -d $IP1 --dport 80 -j ACCEPT
> iptables -A INPUT -i $IF2 -p tcp --sport $UNPRIVPORTS -d $IP2 --dport 80 -j ACCEPT
Are these really necessary? With -P DROP, this'll deny any outgoing
connections at all, regardless of protocol. It'll even drop ICMP
packets, something you probably don't want.
> iptables -A OUTPUT -o $IF2 -p tcp ! --syn -s $IP2 --sport 80 --dport $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $IF1 -p tcp ! --syn -s $IP1 --sport 80 --dport $UNPRIVPORTS -j ACCEPT
To allow for multiple hosts in a rule, you can specify a mask (or
number of bits). For instance:
# iptables -s 10.0.0.0/31
will match 10.0.0.0 and 10.0.0.1. .93 and .94, however, overlap this
and need to be allowed for specifically.
So, try first with -P OUTPUT -j ACCEPT, and no rules in the OUTPUT
chain. It shouldn't be any problem then.
roy
* Re: Trying to setup two ethernet cards with two websites
2003-01-02 14:49 JUSTIN GERRY
@ 2003-01-02 15:21 ` Joel Newkirk
2003-01-03 12:23 ` Roy Sigurd Karlsbakk
0 siblings, 1 reply; 10+ messages in thread
From: Joel Newkirk @ 2003-01-02 15:21 UTC (permalink / raw)
To: JUSTIN GERRY, roy; +Cc: netfilter
On Thursday 02 January 2003 09:49 am, JUSTIN GERRY wrote:
> I tried your suggestions below and yes, I finally have two websites
> working on the same box. Simplifying things does indeed work.
>
> Is there a way to, by default, drop everything on the output chain, but
> insert a rule to allow only http requests that were initiated by a
> client to either website?
>
> Or if my input rules are sufficient, do I really need to do anything
> on the output chain other than let everything out?
>
> Thanks,
> Justin
If you trust that nothing on the box is or ever will connect that you
don't want to, then the output chain can just have an ACCEPT policy. If you
want to lock down to make it harder for a trojan or such to communicate
back from the box, you can set a DROP policy, then:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
will let traffic back out in response to client requests, but not let the
box initiate any connections. If this tighter firewall still allows the
needed connections, why open up any further? I'd suggest you might want
to log dropped output traffic, though, to see what DOES try to get out.
Depending on your usage and plans, you might want to open a few
outbounds, like traceroute, ping, CVS, http, or ftp access FROM the box
if you want to use these services when logged into the box, for updating
software etc. Of course you can just allow those connections when
needed, and the rest of the time go with the DROP policy and the EST/REL
rule above.
j
* Re: Trying to setup two ethernet cards with two websites
2003-01-02 15:21 ` Joel Newkirk
@ 2003-01-03 12:23 ` Roy Sigurd Karlsbakk
2003-01-03 16:25 ` Joel Newkirk
0 siblings, 1 reply; 10+ messages in thread
From: Roy Sigurd Karlsbakk @ 2003-01-03 12:23 UTC (permalink / raw)
To: netfilter; +Cc: JUSTIN GERRY, netfilter
> If you trust that nothing on the box is or ever will connect that you
> don't want to, then output chain can just have an ACCEPT policy. If
> you
> want to lock down to make it harder for a trojan or such to communicate
> back from the box, you can set a DROP policy, then:
>
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Just remember to allow incoming ICMP. Please? ICMP _is_ an integral
part of IP, and shouldn't be blocked out!
You can do
iptables -I INPUT -p icmp -j REJECT --reject-with echo-reply
to answer all pings to hosts behind with echo reply (just fake it) in
case you're afraid of anyone scanning you.
You might add a -limit as well to prevent them DoSing you (man iptables).
roy
> will let traffic back out in response to client requests, but not let
> the
> box initiate any connections. If this tighter firewall still allows
> the
> needed connections, why open up any further? I'd suggest you might
> want
> to log dropped output traffic, though, to see what DOES try to get out.
> Depending on your usage and plans, you might want to open a few
> outbounds, like traceroute, ping, CVS, http, or ftp access FROM the box
> if you want to use these services when logged into the box, for
> updating
> software etc. Of course you can just allow those connections when
> needed, and the rest of the time go with DROP policy and the EST/REL
> rule above.
>
> j
* Re: Trying to setup two ethernet cards with two websites
2003-01-03 12:23 ` Roy Sigurd Karlsbakk
@ 2003-01-03 16:25 ` Joel Newkirk
0 siblings, 0 replies; 10+ messages in thread
From: Joel Newkirk @ 2003-01-03 16:25 UTC (permalink / raw)
To: Roy Sigurd Karlsbakk; +Cc: JUSTIN GERRY, netfilter
On Friday 03 January 2003 07:23 am, Roy Sigurd Karlsbakk wrote:
> > If you trust that nothing on the box is or ever will connect that
> > you don't want to, then output chain can just have an ACCEPT policy.
> > If you
> > want to lock down to make it harder for a trojan or such to
> > communicate back from the box, you can set a DROP policy, then:
> >
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> just remember to allow incoming ICMP. Please? ICMP _is_ an integral
> part of IP, and shouldn't be blocked out!
The RELATED state does just this. If you allow absolutely nothing in but
tcp 80 and established, and absolutely nothing out but established, only
the port 80 request and reply will get through. If you also allow
related out then so long as an 'established' connection exists then
supplementary connections are accepted as well, like ICMP fragmentation
control stuff. The only /initial/ connection allowed in this
mini-scenario is to destination port 80 with TCP, but once that
connection is flowing then the server would be allowed to send related
packets to the same client, even other ports or protocols, and they will
get through regardless of whether they are explicitly accepted or
explicitly dropped by the firewall. That is the basic purpose of the
RELATED state. It's extended with helpers to consider things like FTP
data to be related to FTP control, and the NAT functions are extended as
well, but the whole idea of RELATED is to let through stuff that is,
well, related.
j
* Re: Trying to setup two ethernet cards with two websites
@ 2003-01-02 20:25 JUSTIN GERRY
2003-01-02 20:36 ` Athanasius
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: JUSTIN GERRY @ 2003-01-02 20:25 UTC (permalink / raw)
To: JGERRY, netfilter
To streamline the firewall I am writing, can I be safe to assume that:
CLASS_A="10.0.0.0/8"
IF1="eth0"
IF2="eth1"
(For example, I will drop anything claiming to be from a Class A
Private Network on either interface)
iptables -A INPUT -i $IF1 -s $CLASS_A -j DROP
iptables -A INPUT -i $IF2 -s $CLASS_A -j DROP
can be written in one line as:
iptables -A INPUT -s $CLASS_A -j DROP
This way, by not specifying the interface (as it can come from either
eth0 or eth1), it will completely drop any requests claiming to be
from a class A private network?
Many thanks,
Justin
* Re: Trying to setup two ethernet cards with two websites
2003-01-02 20:25 JUSTIN GERRY
@ 2003-01-02 20:36 ` Athanasius
2003-01-02 21:40 ` Rob Sterenborg
2003-01-03 12:23 ` Roy Sigurd Karlsbakk
2 siblings, 0 replies; 10+ messages in thread
From: Athanasius @ 2003-01-02 20:36 UTC (permalink / raw)
To: Netfilter Users
On Thu, Jan 02, 2003 at 03:25:21PM -0500, JUSTIN GERRY wrote:
> (For example, I will drop anything claiming to be from a Class A
> Private Network on either interface)
> iptables -A INPUT -i $IF1 -s $CLASS_A -j DROP
> iptables -A INPUT -i $IF2 -s $CLASS_A -j DROP
>
> can be written in one line as:
> iptables -A INPUT -s $CLASS_A -j DROP
Yes, any field like -i or -s or -d when NOT specified defaults to
'any'.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* RE: Trying to setup two ethernet cards with two websites
2003-01-02 20:25 JUSTIN GERRY
2003-01-02 20:36 ` Athanasius
@ 2003-01-02 21:40 ` Rob Sterenborg
2003-01-03 12:23 ` Roy Sigurd Karlsbakk
2 siblings, 0 replies; 10+ messages in thread
From: Rob Sterenborg @ 2003-01-02 21:40 UTC (permalink / raw)
To: netfilter
> To streamline the firewall I am writing, can I be safe to
> assume that:
>
> CLASS_A="10.0.0.0/8"
> IF1="eth0"
> IF2="eth1"
>
> (For example, I will drop anything claiming to be from a Class A
> Private Network on either interface)
> iptables -A INPUT -i $IF1 -s $CLASS_A -j DROP
> iptables -A INPUT -i $IF2 -s $CLASS_A -j DROP
>
> can be written in one line as:
> iptables -A INPUT -s $CLASS_A -j DROP
Yes.
You'd only specify the incoming interface if you were to expect
$CLASS_A on one interface, but not on the other interface. If you
don't specify -i, iptables won't match the incoming interface, so it
would only look at the source address.
Rob
* Re: Trying to setup two ethernet cards with two websites
2003-01-02 20:25 JUSTIN GERRY
2003-01-02 20:36 ` Athanasius
2003-01-02 21:40 ` Rob Sterenborg
@ 2003-01-03 12:23 ` Roy Sigurd Karlsbakk
2 siblings, 0 replies; 10+ messages in thread
From: Roy Sigurd Karlsbakk @ 2003-01-03 12:23 UTC (permalink / raw)
To: JUSTIN GERRY; +Cc: netfilter
> To streamline the firewall I am writing, can I be safe to assume that:
>
> CLASS_A="10.0.0.0/8"
> IF1="eth0"
> IF2="eth1"
>
> (For example, I will drop anything claiming to be from a Class A
> Private Network on either interface)
> iptables -A INPUT -i $IF1 -s $CLASS_A -j DROP
> iptables -A INPUT -i $IF2 -s $CLASS_A -j DROP
>
> can be written in one line as:
> iptables -A INPUT -s $CLASS_A -j DROP
>
> This way, by not specifying the interface (as it can come from either
> eth0 or eth1), it will completely drop any requests claiming to be
> from a class A private network?
Sure. Then just add 192.168/16 and 172.16/12 ;-)
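Pulling the thread's advice together (Roy: drop the redundant stateless port-80 rules and keep ICMP; Joel: DROP policy on OUTPUT with one ESTABLISHED,RELATED rule plus logging; Rob and Athanasius: omit -i so one anti-spoofing rule covers both cards), as an added example that is not any poster's script. The interfaces and addresses are the ones from the original post; the rate limits, log prefix and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: a consolidated ruleset for the two-NIC, two-address web
# server described in the thread. Addresses and interfaces are the ones from
# the original post; everything else is assumed for illustration.
IPT="${IPT:-iptables}"          # set IPT to a wrapper function for a dry run
IF1="eth0"; IP1="172.30.12.94"
IF2="eth1"; IP2="172.30.12.93"
UNPRIVPORTS="1024:65535"

apply_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Anti-spoofing: no -i is given, so one rule per range covers both
    # interfaces. 172.16.0.0/12 is deliberately left out because the
    # server's own addresses (172.30.12.x) fall inside it; adjust to taste.
    for net in 10.0.0.0/8 192.168.0.0/16; do
        $IPT -A INPUT -s "$net" -j DROP
    done

    # Packets belonging to flows already accepted (or RELATED to them, e.g.
    # ICMP errors). This makes stateless "accept port 80" rules redundant.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP is part of IP; accept it, but rate-limited against floods.
    $IPT -A INPUT -p icmp -m limit --limit 5/second -j ACCEPT

    # New HTTP connections: one rule per interface/address pair, since
    # .93 and .94 cannot be expressed as a single mask without overlap.
    $IPT -A INPUT -i "$IF1" -d "$IP1" -p tcp --sport "$UNPRIVPORTS" \
         --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$IF2" -d "$IP2" -p tcp --sport "$UNPRIVPORTS" \
         --dport 80 -m state --state NEW -j ACCEPT

    # OUTPUT: the box may only answer; anything it tries to initiate is
    # logged (rate-limited) and then dropped by the chain policy.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "OUTPUT-DROP: "
}

# Run as root with:  sh two_sites.sh --apply
case "${1:-}" in --apply) apply_rules ;; esac
```

Setting IPT to a shell function that only records its arguments lets the ruleset be reviewed without touching the live firewall.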